topic Re: Access rule and NAT in Network Security

Access rule and NAT

Nimika123 — Tue, 12 Mar 2019 03:27:33 GMT

I have cisco ASA 5510 and am using ASDM

I am new to ASA and am trying t understand on what to do for the below

1. I have public ip 4.79.205.89 ---------> FW------> 192.168.10.1 ( Apool interface )

for this to work would i need an Access rule and NAT rule both ? i need to open up the port for tcp. If something is being sent out of 192.168.10.1 i need to do NAT to 4.79.205.89

i have 2 interface external and Apool (192.168.10) and spool 192.168.30 network

a) NAT rule will be for interface Apool correct? is the static NAT 2 way ? meaning

how the traffic comming from outside knows that it will need to go to 192.168.10.1

if i set the NAT rule below it seems that whatever is sent from 192.168.10.1 the ip needs to translate to 4.79.205.89 but how does it know that the traffic from outside sent to 4.79.205.89 needs to go to 192.168.10.1

interface: App pool

source: 192.168.10.1

Translated:

interface: external

destinition: 4.79.205.89

b) how do i allow traffic from public ip to communicate with 192.168.10 which is behind FW

I added Acceses rule for interface external

Action:permit

source:any

destinition:4.79.205.89

port:tcp

Thanks

Sagar

Access rule and NAT

Jon Marshall — Thu, 09 Jan 2014 20:52:06 GMT

Sagar

What exactly is the TCP port you need to allow ie. what application is on 192.168.10.1 that you want to allow access to from the internet.

Do you have access-list configured on any interfaces already ?

What version of software are you using ?

Jon

Access rule and NAT

Nimika123 — Thu, 09 Jan 2014 21:05:48 GMT

Hi I am using ASDM 6.2 i need to enable ssh port 22 it is an sftp server

Access rule and NAT

Jon Marshall — Thu, 09 Jan 2014 21:11:54 GMT

Sagar

Unfortunately i'm not familiar with ASDM. Attached is the config guide for ASDM for setting up static NAT -

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/nat.html#wp1072634

you would also need to add a rule to the acl applied to your outside interface (assuming you have one) to allow the traffic.

If you are happy to use the CLI i can supply the actual commands. If you want to do this can you post your current config or tell me which version of software is running on the ASA.

Jon

Access rule and NAT

Nimika123 — Thu, 09 Jan 2014 21:15:12 GMT

Hi Here is the show version

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(5)

Compiled on Tue 05-May-09 22:45 by builders

System image file is "disk0:/asa821-k8.bin"

Config file at boot was "startup-config"

oshac5510fw up 247 days 1 hour

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

Internal ATA Compact Flash, 256MB

Slot 1: ATA Compact Flash, 512MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Re: Access rule and NAT

Jon Marshall — Thu, 09 Jan 2014 21:20:36 GMT

Sagar

static (inside,outside) tcp 4.79.205.89 22 192.168.10.1 22

access-list outside_in permit tcp any host 4.79.205.89 eq ssh

couple of points -

1) i have assumed that 192.168.10.1 is reachable from the inside interface

2) if you already have an acl applied to the outside interface then change the name of the acl in the above. If you don't have an acl applied to the outside interface you need to add this additional command -

access-group outside_in in interface outside

Jon

Re: Access rule and NAT

jimsmith — Sun, 09 Dec 2018 20:05:56 GMT

If you add another ethernet interface, let's say a USB one, and manually configure it with an IP, say 192.168.10.1 - check this link, the same thing happens above with free routes. Assumne you assigned the USB ethernet adapter 192.168.10.1 with subnet mask /24 (or 255.255.255.0).

Re: Access rule and NAT

Kasun Bandara — Tue, 11 Dec 2018 06:21:00 GMT

Hi,

you need to have a port forward NAT rule and ACL for this. hope below link help with it.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html#pat

good luck